Another day, another data breach — thanks to misconfigured cloud-based systems. This summer’s infamous Capital One breach is the most prominent recent example. The breach resulted from a misconfigured open-source web application firewall (WAF), which the financial services company used in its operations that are hosted on Amazon Web Services (AWS).

Sales teams talk about ‘synergy’ and ‘paradigm shifts.’ Technology professionals bandy about ‘next-generation,’ ‘disruptive,’ and ‘cutting-edge.’ But no matter how many times otherwise intelligent people claim to “leverage their technology to…” it won’t lever the noun ‘leverage’ into a verb.

Every data breach and online attack seems to involve some kind of phishing attempt to steal password credentials, to launch fraudulent transactions, or to trick someone into downloading malware. In early 2016, 93 percent of phishing emails delivered ransomware, according to statistics from PhishMe.

Enterprises regularly remind users to beware of phishing attacks, but many users don’t really know how to recognize them. One reason for this is the fact that these attacks can take many forms. “Phishing attacks come in all shapes and sizes, targeting specific individuals within an organization who have access to sensitive data,” says Area 1 Security’s Shalabh Mohan.

Hack back doesn’t need to be a dirty word. According to security startup Cymmetria, organizations and individuals can employ a number of attack tools to disrupt attacker operations, as long as the security teams stay within their own network. There is no need to go after attacker infrastructure on foreign servers when the attackers have set up shop right inside the organization’s own infrastructure.

“I can’t attack the attacker where he lives, but I don’t have to. I can stop him while he is in my network,” said Gadi Evron, founder and CEO of Cymmetria.

Talking about password security is a guaranteed crowd-snoozer, a surefire way to make people shut down and tune out, but the reality is that passwords are still important. Email or social media, online banking or gaming, educational applications or online services—anything that keeps some kind of user data still depends on passwords to keep miscreants out. Attackers will continue merrily looting bank accounts and taking over online services if users don’t step up and use better passwords.

We all know the basics—don’t use “password” and don’t repeat the same password across different accounts. Turn on two-factor authentication on online accounts wherever possible—one-time passwords via SMS messages are still better than nothing. Use a password manager to track all the passwords. Unfortunately, a lot of password advice sounds reasonable but needs context to be helpful. Following are some ubiquitous password myths, clarified.

The Internet Corporation for Assigned Names and Numbers (ICANN), which administers the Internet namespace, has been engaged in a multi-year effort to update the cryptographic keys used to protect the Domain Name System (DNS) from abuse. The new root zone “key signing key” (KSK) used to secure DNS was generated last year.

Internet service providers, hardware manufacturers, and enterprises that operate their own recursive name servers and use Domain Name System Security Extensions (DNSSEC) validation to protect their domains needed to update their systems with the public part of the key pair by October 11. On that day, ICANN planned to “roll over,” that is, to start signing with the new root zone key signing key. If those systems aren’t updated with the new public key, DNSSEC validation will fail once the old key is finally revoked in 2018, and DNS resolution will break for their users.

When Armis researchers demonstrated BlueBorne, an attack that takes advantage of vulnerabilities in the Bluetooth protocol, it was downright frightening how easily an attacker could take remote control over the device.

View all files saved on the device? Sure—and it’s a snap to encrypt those files as part of a ransomware attack. Turn on the camera? Not a problem—and the device can eavesdrop on meetings and monitor conversations without anyone else knowing. Install malware? Done with a click and no one the wiser.

But what scared me even more was the fact that BlueBorne was just the tip of the iceberg when it comes to Bluetooth-based attacks.

Yes, there will be some tax and banking fraud as a result of the gargantuan data breach at Equifax. The biggest impact, however, will be felt by enterprises that rely on credit reporting bureaus to verify the identity of people they are doing business with.

Think employment verification, social services verification, and other forms of identity verification that rely on credit reports. These services depend on the idea that only the individual knows all the details used to verify identity, but that assumption requires ignoring the sheer amount of personally identifiable information (PII) that has been exposed over the past few years. Between the Office of Personnel Management, Anthem, and scores of other data breaches at universities, retailers, enterprises, and healthcare organizations over the last two years, a lot of PII is available for criminals to use.

Monday may be our least favorite day of the week, but Thursday is when security professionals should watch out for cybercriminals, researchers say.

Timing is everything. Attackers pay as close attention to when their victims will be online as they do to crafting their campaigns. Spammers have been moving towards the traditional 9-to-5 corporate workday as they increasingly shift their focus to targeting corporate accounts. Researchers at IBM X-Force Kassel analyzed billions of spam messages gathered by its spam honeypots from December 2016 to June 2017 and found that more than 83 percent of spam was sent on weekdays, with Tuesday showing the most activity, followed by Wednesday and Thursday.

Source: https://www.csoonline.com/article/3199997/don-t-like-mondays-neither-do-attackers.html

Show the proof, or cut it out with the Kaspersky Lab Russia rumors (Fri, 25 Aug 2017 05:19:00 -0700, by Fahmida Y. Rashid)

By nature of the job, security professionals tend to be skeptical and overly suspicious, but the good ones are also good at weighing the evidence before making their decisions. Which is why it’s so perplexing that rumors about Moscow-based security company Kaspersky Lab being in bed with the Russian government keep swirling, absent any proof.

Report after report over the past few months shows various figures in the U.S. government concerned about ties between Kaspersky Lab executives and the Russian government. The chiefs of five U.S. intelligence agencies (including the National Security Agency [NSA] and Central Intelligence Agency [CIA]) and the acting director of the Federal Bureau of Investigation (FBI) said during a Senate intelligence committee meeting in the spring that they don’t recommend using Kaspersky Lab software.

Amazon offers a number of excellent tools to help enterprises keep their data and applications safe in the cloud. Last year, Amazon unveiled Amazon Inspector, its host-based application vulnerability assessment tool that monitors what is installed and configured on each virtual instance. This year, it’s Amazon Macie, a security service designed to automatically discover and protect sensitive data stored in AWS.

As organizations move more of their data to Amazon’s various cloud offerings, security teams have the unenviable task of continuously tracking the data to identify, classify and protect sensitive pieces of information such as personally identifiable information (PII), personal health information (PHI), regulatory documents, API keys, secret key material and intellectual property.

Software development relies heavily on trust, especially when it comes to open source components. JavaScript developers recently got a reminder just how fragile the trust model is with the news that 39 malicious packages were removed from npm, the Node.js package management registry.

Between July 19 and July 31, an account named hacktask published a series of packages on npm with names that were similar to existing npm packages, wrote npm CTO CJ Silverio. Packages are used by developers to implement common functions without having to write the code from scratch. If developers aren’t careful and add the wrong packages as dependencies to their code, they wind up with malicious code in their applications. “The package naming was both deliberate and malicious—the intent was to collect useful data from tricked users,” Silverio said.

As enterprises get better about encrypting network traffic to protect data from potential attacks or exposure, online attackers are also stepping up their Secure Sockets Layer/Transport Layer Security (SSL/TLS) game to hide their malicious activities. In the first half of 2017, an average of 60 percent of transactions observed by security company Zscaler were over SSL/TLS, the company’s researchers said. The growth in SSL/TLS usage includes both legitimate and malicious activities, as criminals rely on valid SSL certificates to distribute their content. Researchers saw an average of 300 hits per day for web exploits that included SSL as part of the infection chain.

Ding-dong, Flash is finally dead (well, will finally be dead in 2020). Adobe announced it will completely end support for Adobe Flash Player in 2020.

The tech press has been predicting the death of Flash for years—HTML5 was hailed as the Flash-killer, except it took the standard a while to mature to the point where it could compete head-on with Flash; Steve Jobs insisted iOS devices would never support it; and several major browsers no longer play Flash content by default, so users must manually click to play Flash on websites. Even so, Flash seemed poised to stick around forever as some kind of a tech zombie—a number of gaming, educational and video applications continue to rely heavily on the technology—much the same way client-side Java applets and Windows XP just won’t die.

Recent global malware outbreaks WannaCry and NotPetya exposed how much enterprises struggle with patching. Staying current with the latest security patches involves testing, preparing and deploying the updates, and enterprises are lagging behind because each product has its own update schedule.

It is easy to wag fingers about how it shouldn't take IT more than 60 days to deploy an update, but consider the current workload. On top of the regularly scheduled monthly updates from Microsoft and Adobe, some organizations may need to deal with the latest Cisco patches. Organizations are still working on closing the SMB vulnerability, especially the out-of-band updates for Windows XP and other unsupported systems. Enterprises with iOS devices need to prioritize the latest update to address a serious security flaw in the devices' Wi-Fi chip.